
Re: Verifying passwords have been changed in oracle

From: I.A. Saez <i.a.saez.scheihingGEENSPAM_at_tue.nl>
Date: Thu, 07 Nov 2002 15:04:03 +0100
Message-ID: <3DCA72D3.9E82997B@tue.nl>


Stephen,

In both options you will have to log in to the database (using system or sys). So, if the installer
changed the password you will be able to log in using the passwords you expect after an installation.
From the exterior (without connecting to oracle) you can't determine if the password is changed.
About option 2: in our 8i and 7343 databases (I'm not sure about 9i) the encryption of system's
password is the same. If you know the encryption of manager in a database then you know the
encryption in any database.

kind regards,

Ivan

Stephen Harris wrote:

> I know questions like this have been asked a number of times in the
> past, but I haven't found an answer that works...
>
> We are beginning to deploy Oracle 9.2.0.1.0 systems in our environment.
> We want to ensure the installer _has_ changed the SYS and SYSTEM password
> from the defaults. We are developing an automated audit script which will
> be run (as SYSDBA) to check this sort of thing.
>
> Previous answers given to this appear to be:
>
> Option 1: attempt to connect as system/manager.
>
> Downside: auditing of these accounts will be strict. Showing additional
> login success or fail attempts will help obfuscate any real audit
> alert oddities. Our security team has complained about this
>
> Option 2: attempt to change the password, check the crypt string, change
> it back
>
> Downside: Apart from a small window where the password may be wrong, we
> have password verification functions in place which means we _can't_
> set MANAGER as the password; the password change fails when I attempt
> to do 'alter user system identified by manager' because there are no
> digits or whatever else the verification function requires. There is
> no way I'll be allowed to disable that temporarily!
>
> So I need another way of verifying the current password is no longer the
> default value. Any ideas are much appreciated.
>
> Thanks!
>
> --
> Stephen Harris
> sweh_at_spuddy.mew.co.uk
> The truth is the truth, and opinion just opinion. But what is what?
> My employer pays to ignore my opinions; you get to do it for free.
Received on Thu Nov 07 2002 - 08:04:03 CST
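
The hash comparison suggested in the reply, written as a read-only audit query. This is an added example and not part of either post. It assumes DBA_USERS.PASSWORD holds the stored hash, as in the releases discussed in the thread, and the two REF_HASH_* strings are placeholders to be filled once from a scratch database of the same release where the defaults are still set.

```sql
-- Added example (not from the thread): report whether SYS and SYSTEM still
-- carry their default passwords by comparing stored hashes only.
-- Run as SYSDBA from the audit script.
--
-- Assumption: DBA_USERS.PASSWORD exposes the password hash.
-- Placeholders: REF_HASH_SYS_DEFAULT and REF_HASH_SYSTEM_MANAGER stand for
-- the hashes read from a reference install that still has the defaults:
--   SELECT username, password FROM dba_users
--    WHERE username IN ('SYS', 'SYSTEM');

SELECT u.username,
       u.account_status,
       CASE
         WHEN u.password = r.default_hash THEN 'DEFAULT PASSWORD'
         ELSE 'changed'
       END AS audit_result
  FROM dba_users u,
       (SELECT 'SYS' AS username,
               'REF_HASH_SYS_DEFAULT' AS default_hash      -- placeholder
          FROM dual
        UNION ALL
        SELECT 'SYSTEM',
               'REF_HASH_SYSTEM_MANAGER'                   -- placeholder
          FROM dual) r
 WHERE u.username = r.username
 ORDER BY u.username;
```

The query makes no additional connection attempt and issues no ALTER USER, so it adds no login audit records for these accounts and never reaches the password verification function.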
